GM/T 0030-2014 English PDF (GMT0030-2014)

GM/T 0030-2014: Cryptographic server technical specification

This standard defines the relevant terms of cryptographic server, and specifies other related content of cryptographic server, such as functional requirements, hardware requirements, software requirements, security requirements and test requirements. This standard applies to the development and usage of cryptographic server, and it can also be used to guide the test of cryptographic server.
GM/T 0030-2014
GM
CRYPTOGRAPHY INDUSTRY STANDARD
OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L80
File No.: 44631-2014
Cryptographic server technical specification
ISSUED ON: FEBRUARY 13, 2014
IMPLEMENTED ON: FEBRUARY 13, 2014
Issued by: State Cryptography Administration
Table of Contents
Foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Symbols and abbreviations
5 Functional requirements of cryptographic server
5.1 Initialization
5.2 Crypto-operation
5.3 Key management
5.4 Random-number generation and test
5.5 Access control
5.6 Device management
5.7 Log audit
5.8 Equipment self-test
6 Hardware requirements of cryptographic server
6.1 External interface
6.2 Random-number generator
6.3 Environmental adaptability
6.4 Reliability
7 Software requirements of cryptographic server
7.1 Basic requirements
7.2 Application program interface (API)
7.3 Management tool
8 Security requirements of cryptographic server
8.1 Cryptographic algorithm
8.2 Key management
8.3 System requirements
8.4 Use requirements
8.5 Management requirements
8.6 Physical security protection for equipment
8.7 Device state
8.8 Process protection
9 Test requirements of cryptographic server
9.1 Inspection of appearance and structure
9.2 Test of submitted documents
9.3 Function test
9.4 Performance test
9.5 Environmental adaptability test
9.6 Other tests
10 Qualification evaluation
Cryptographic server technical specification
1 Scope
This standard defines the relevant terms of cryptographic server, and specifies other related content of cryptographic server, such as functional requirements, hardware requirements, software requirements, security requirements and test requirements.
This standard applies to the development and usage of cryptographic server, and it can also be used to guide the test of cryptographic server.
2 Normative references
The following documents are essential for the application of this document. For dated references, only the dated version applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 9813 Generic specification for microcomputers
GM/T 0005 Randomness test specification
GM/T 0018 Cryptographic equipment application interface specification
3 Terms and definitions
The following terms and definitions apply to this document.
3.1
Cryptographic server
Also known as a host encryption server; it is equipment that can provide cryptographic services and key management to multiple application entities, independently or in parallel.
3.2
Symmetric cryptographic algorithm
It is a cryptographic algorithm which uses the same key to encrypt and decrypt.
... key-pair and encryption key-pair. It is used for device management to represent the identity of cryptographic server.
Key encryption key. It is a symmetric key that is periodically replaced to protect session key in the case of a pre-assigned key. Cryptographic server may choose to support key encryption key.
Session key. It is used for data encryption-decryption.
5.3.3 Key generation and installation
Manager key. It is generated or installed by the management tool which is used in device initialization; it is stored in a secure storage area inside cryptographic server.
User key. User key consists of signature key and encryption key. Signature key is generated or installed by cryptographic server; it must support the use of physical noise source chip to generate, and it must support the use of strong prime numbers. Encryption key is issued by key management system to the device; the format for issuing the encryption key follows the rules for the protection format of the encryption key given in GM/T 0018; and the storage area for a certain number of user key-pairs must be supported according to the system requirements. The private key of user key-pairs must support hardware internal secure storage; it is appropriate to support the security access control of private key access password.
Device key. Device key consists of signature key and encryption key. Signature key is generated or installed by using management tool when the device is initialized; encryption key is issued by key management system to the device. Device key is stored in the secure storage area inside cryptographic server.
Key encryption key. It is generated or installed by cryptographic equipment management tool, which must support the generation of physical noise source chips; the storage area for a certain number of key encryption key must be supported according to the system requirements; this key must support the secure storage inside cryptographic server.
Session key. It must support to use the generation of physical noise source chips to ensure the quality of session key; it must support that one session replaces one session key. Cryptographic server must not be exported in plaintext. When session key is stored for a long time, it must support the security protective measures of user key-pair or key encryption key for encrypted storage.
5.3.4 Key usage
Symmetric key. According to symmetric key index-number or other key unique interface, management operations can be carried out, such as key generation, installation, backup, recovery, and log query.
Management personnel shall be identified into the management interface. Different management operations shall have different operating authorization.
5.6 Device management
It is appropriate for cryptographic server to have the management function of accepting management center; the implementation of device management function shall be carried out according to the requirements of state cryptography administration competent department.
5.7 Log audit
Cryptographic server shall provide the function of log recording, log viewing and log exporting.
Log content includes:
a) Administrator operation behavior, including login authentication, system configuration and key management;
b) Abnormal events, including records of abnormal events, such as authentication failure and unauthorized access;
c) If it is connected to equipment management center, record the corresponding operation.
5.8 Equipment self-test
Cryptographic server shall have the function of self-test at power-on and when receiving self-test command.
Self-test function of equipment shall include the correctness checking of cryptography algorithm, the test of random-number generator and the test of storage key and data integrity.
6 Hardware requirements of cryptographic server
6.1 External interface
Cryptographic server shall provide service interface and management interface respectively.
It supports external RJ-45 Ethernet interface, serial interface, fiber channel, USB and other hardware interface protocols of current mainstream servers. It ...
• Test items. Test the collected random-numbers according to the 12 test items of GM/T 0005, except for discrete Fourier test, linear complexity test, universal statistical test.
• Test-pass standard. If one item fails to pass the standard during the test, warn that the test is not qualified.
The repetition of random-number collection and test is allowed only once; if it is still not qualified after the repeated test, the random-number generator of the product shall be determined to have lost efficacy.
• Test cycle. It is configurable; test interval is at most 12 h.
2) One-time test
• Test quantity. It is determined according to the size of random-number which is collected in practical application each time, but the length shall not be less than 128 bits; moreover, the unused sequence that has passed the test may continue to be used.
• Test items. Poker test. When the sample length is less than 320 bits, the parameter m = 2.
• Test-pass standard. If one item fails to pass the standard during the test, warn that the test is not qualified.
The repetition of random-number collection and test is allowed only once; if it is still not qualified after the repeated test, the random-number generator of the product shall be determined to have lost efficacy.
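The one-time test described above, as an added example that is not part of GM/T 0030-2014 or GM/T 0005: a poker test with m = 2 on a sample of 128 to 319 bits, with the single permitted repeat. The chi-square statistic and the 0.01 significance level are assumptions, since this excerpt states neither; the function names and sample sources are constructed for illustration.

```python
import math

M = 2            # block size the excerpt gives for samples under 320 bits
MIN_BITS = 128   # minimum one-time sample length from the excerpt
ALPHA = 0.01     # ASSUMPTION: significance level, not stated in the excerpt

def poker_p_value(bits):
    """P-value of the m = 2 poker test over a list of 0/1 integers."""
    if not MIN_BITS <= len(bits) < 320:
        raise ValueError("one-time sample must be 128..319 bits for m = 2")
    n_blocks = len(bits) // M
    counts = [0] * (1 << M)
    for i in range(n_blocks):               # count each 2-bit pattern
        counts[(bits[M * i] << 1) | bits[M * i + 1]] += 1
    # ASSUMPTION: textbook poker statistic V = (2^m / N) * sum(n_i^2) - N,
    # chi-square distributed with 2^m - 1 = 3 degrees of freedom.
    v = max(0.0, (1 << M) / n_blocks * sum(c * c for c in counts) - n_blocks)
    y = v / 2
    # Closed-form chi-square survival function for 3 degrees of freedom.
    return math.erfc(math.sqrt(y)) + 2 * math.sqrt(y / math.pi) * math.exp(-y)

def one_time_test(collect, n_bits=MIN_BITS):
    """Run the test with the single repeat the excerpt allows.

    collect(n_bits) returns a fresh sample. Returns (status, warnings):
    status is "pass" or "rng_failed", warnings counts failed attempts.
    """
    warnings = 0
    for _ in range(2):                      # first attempt plus one repeat
        if poker_p_value(collect(n_bits)) >= ALPHA:
            return "pass", warnings
        warnings += 1                       # "test is not qualified" warning
    return "rng_failed", warnings           # generator is treated as failed

# Constructed sample sources (not real device output).
def stuck_source(n):        # noise source stuck at zero
    return [0] * n

def alternating_source(n):  # 0101...: balanced bits, but every block is 01
    return [i & 1 for i in range(n)]

def balanced_source(n):     # cycles 00 01 10 11, so all four counts match
    return ([0, 0, 0, 1, 1, 0, 1, 1] * (n // 8 + 1))[:n]

def recovering_source():
    """Source whose first sample is stuck and whose second is balanced."""
    calls = iter([stuck_source, balanced_source])
    return lambda n: next(calls)(n)
```

The alternating source has exactly half ones and would pass a bit-frequency check, yet the poker test rejects it because every 2-bit block is identical.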
6.3 Environmental adaptability
The working environment of cryptographic server shall follow the requirements about “Climate and Environment Adaptability” in GB/T 9813 according to actual demand.
6.4 Reliability
The mean time between failures of cryptographic server shall not be less than 10000 h.
7 Software requirements of cryptographic server
7.1 Basic requirements
The underlying s...